We got a request from one of our customers, and since I've never encountered such a request before, I don't even know where to start looking.

Our customer is a network of colleges, and we're building them a site. On that site, among other things, will be a form which potential applicants can fill out in order to get more info about the studies in one of the colleges. After a user fills out this form - including giving their email and/or phone number - the relevant college then contacts them with the relevant info.

Now, for legal reasons, the client is asking that this form also have a checkbox that the potential applicant checks to indicate that they agree to get promotional material from these colleges. That's of course no problem. But here comes the weird part of the request:

The details of each filled-out form have to be saved in a reliable way. Apparently, saving the form values in a database - a column indicating whether the user agreed or didn't agree - isn't enough, because a DB could be changed after the user has sent the form. Our client claims that other college portals create a screenshot of the filled-out form and save it somewhere in a dedicated folder, in a manner that is easily found, such as giving the file a name that includes the user's name and the date and time.

My question is as follows: have you heard of using screenshots as a method of proving a user has actually filled out a form? Are there other methods that are considered reliable?


96

Screen shots can be modified as well - especially if just stored on disk somewhere.
– ChrisF♦ Dec 22 '11 at 11:48

41

Let me guess: it is a computer science professor who came up with this idea. Some of these people are fantastic. I do not know how they do it, but the ideas they come up with are often as surreal as if they were on acid.
– Mike Nakis Dec 22 '11 at 11:51

32

Wait - they are saving the e-mail address and other personal information in the database, but the "security issue" they are worried about is whether that user mistakenly gets promotional e-mails?
– Wonko the Sane Dec 22 '11 at 14:29

11

"in a folder that isn't easily found" - aah, Security through obscurity! That's way more secure than a database kept on a secure server, requiring login credentials etc to get to...
– Dave Dec 22 '11 at 16:47

19

Even better than a screen shot would be if you could capture a video clip from their webcam of the user nodding and giving a big 'thumbs up' sign. Now THAT would be proof!
– GrandmasterB Dec 22 '11 at 19:34

19 Answers
19

I have never heard of something like that, and it would be ridiculous, because a fake screenshot can be produced just as easily as a fake value in a database.

EDIT Besides, I mean, WTF? since you cannot get a screenshot of someone's screen over the web, you will obviously have to reconstruct the page on the server and take a screenshot of that, and then who's to say you did not doctor it?

+1 Good point, I didn't consider that one could technically run a programmatic browser to render the HTML and then possibly send the page to a PDF document creating print driver.
– maple_shaft♦ Dec 22 '11 at 12:12

1

@jwenting Regardless, as MikeNakis already pointed out, this can still be tampered with. You would need to either use electronically signed PDFs or create a hash of the image so that you can use it to validate that the screenshot has not been tampered with.
– maple_shaft♦ Dec 22 '11 at 13:06

24

"just as easily"? The fake screenshots are much easier than hacking a database!
– aitchnyu Dec 22 '11 at 14:11

4

We do this in some of the applications I build.. Technically it is not a "screenshot" but for audit purposes we have to "reconstruct" the session as it was at the time. We achieve this by saving the data from the submitted form and then reconstructing it later. But having said that, that's just saved in a database and the "screenshot" is just a reconstruction of data we've saved. It just looks pretty to the people that want it.
– Deco Dec 22 '11 at 17:10

I know that I am beginning this answer with a question but I do have a point:

Without calling into question the supposed absurdity of the request, if this is a typical HTTP browser-based web application, how would one programmatically capture a screenshot and send it to the server?

I would hope this is impossible as it would represent a serious browser security and privacy concern.

Now imagine if someone's credit card number was also on the screen at the time of screenshot capture. Now you are inadvertently capturing credit card information and your system should now be PCI compliant. This is another avenue of concern altogether.

The only way to do it would probably be using a third-party browser plugin like Flash, Silverlight, Java Applets, or an ActiveX control with elevated system privileges. The component would need to be signed and the user would need to agree to the component having access to run code on their machine.

There are too many holes with this plan and I seriously doubt that other colleges implement something similar. I have certainly never heard of this in my professional career, at least not with a web application.

EDIT:

I just thought of another option that would probably more greatly reflect what I think your client is really asking for.

I had an application I did for a client where the client had to agree to and sign an NDA document to gain access to the application. I achieved this through a signable PDF document. You could have a signature field in a PDF document that, by either using a pen+pad USB component or through just clicking it to acknowledge, will for legal purposes be just as good as if you were to have physically signed the document by hand.

It is called an electronic signature and they do hold up in court.

The PDF document after being signed becomes encrypted and a hash is stored along with it that verifies the document has NOT been tampered with after signing. Modern PDF readers like Adobe can actually transmit a signed document to a server where you can store it in a document management system or database for safe keeping.

At any time administrator users can recall one of these documents and print them.

This may be more along the lines of what your customer actually needs, but had a poor time of explaining properly.

+1 for mentioning that this is technically possible, but would require a plug in
– bunglestink Dec 22 '11 at 12:13

10

So what stops you from replacing the PDF with one that you have signed yourself? As far as I know, there isn't a robust public key infrastructure for dealing with individuals' identities.
– Random832 Dec 22 '11 at 14:54

1

@Random832 Checkmate my friend, you got me! I guess there isn't a 100% secure answer. Any system can be compromised.
– maple_shaft♦ Dec 22 '11 at 15:02

3

This would certainly not require a plug in; note that Google's latest feedback tools (on Google Plus and Youtube) actually do this "screenshot". You can easily send all the HTML on a current page via Javascript and use the proper style sheet to reconstruct what an image would look like. Of course this is ^%&*ing absurd because you can just send the value of the check box.
– Ben Brocka Dec 22 '11 at 16:31

I would think the real question would be did the person whose name appears on the form really fill out the form?

In other words if someone goes to the website and enters the name "Bill Gates" and clicks the box "it's OK to send me email" how would a screenshot prove it was the real Bill Gates?

Have they considered doing what lots of sites do and that is send a verification email with a unique link that someone has to click on to confirm? That way at least you have a record that you have confirmation from someone with access to that email account.

Exactly. Verification email to ensure that the person requesting the emails has control of the email address in question. I'd also add that rather than having a legal record of people who requested promotional materials, you should just be compliant with the CAN-SPAM Act and make it very easy to unsubscribe from your promotional material. (Every email that sends promotional material, even if it's by a third party, has a link to unsubscribe from all the lists you put them on.)
– dr jimbob Dec 22 '11 at 16:43

No such thing

This discussion needs to start with the understanding that there is no way to absolutely prove that the person agreed. This is true even in the physical world. Even if you video the person physically signing a form and putting a drop of their blood on the form, they can say that the video was faked, the blood was taken from them without their knowledge, and the signature was forged. But absolute proof isn't needed; just a reasonable amount of evidence.

In the digital world, any data - text, image, data in a database, or email - can be forged. The closest thing to proof we can have is for the user to encrypt something using a private key and show that their public key will decrypt it. However, this is currently beyond the ability of most users, and they could still say their private key was stolen.

The best we can do is:

Get something that would be difficult (though not impossible) to fake

Agree that, legally, that evidence is sufficient

Make it easy for the user to unsubscribe

Saving an image rather than text adds nothing in terms of proof; all it does is make the process slower and more expensive.

Electronic Signatures

In my job, we have an application where users sign a statement. Legally, the jurisdictions we operate in have passed laws saying that a user typing their email address into a form can count as an electronic signature. We have already verified that they have access to the address by sending a link they must click. That's not absolute proof, but it has been deemed good enough for our purposes.

Whatever information you capture, I'd suggest also capturing a timestamp, so you can say "you agreed at this exact date and time". I'm not sure if that has any legal relevance, but it seems more convincing to me, because it gives more opportunity for the user to prove otherwise ("I have proof that I was not at a computer at that time", for instance).

Going crazy with it

Some things you could do which might be considered evidence:

Capture timestamp, IP, browser, etc, so you can assert the circumstances of the signature

Require email address verification

Require the user to enter their password at the moment of signature

Arrange for there to be a write-only third-party web service running which will receive, at the moment the user signs, an HTTPS POST from your app with the signature info. If the third party can testify that their service is write-only, that they received the record at that moment, and your copy is identical, you could argue that you haven't modified the data since then.

Send the user an email at that moment saying "thanks for signing up, here's how to unsubscribe." Their email provider or yours may be able to show that the email was sent just after the user signed.

IANAL

"... and they could still say their public key was stolen." shouldn't that read "... and they could still say their private key was stolen." Stolen public key does not pose any security issues, in a well-designed PKI.
– Lie Ryan Dec 22 '11 at 15:48

Another option would be to log the raw HTTP POST from the client. This would have their IP, where they came from, what browser, etc., without requiring a screenshot. You could then log this into an insert-only table in raw form, or a simple flat log file...

Just trying to think up some other options because I tend to run into ridiculous requests like this much more often than I would like...

@maple_shaft: The basic idea of adding extra database security would be the "insert only" permissions for all users except one admin. This log would be in addition to regular database activities, and would only be used for verification when needed.
– bunglestink Dec 22 '11 at 14:28

1

@JonnyBoats: You are technically correct about HTTPS, although once received at the application level, you will have the same raw text being logged.
– bunglestink Dec 22 '11 at 14:30

1

"electronically signed PDF documents" or electronically signed anything "are the only way to ensure the document has not been tampered with" except by someone who possesses the key they are to be signed with.
– Random832 Dec 22 '11 at 14:49

1

@Random832: that's doable if the private key for the document is provided by the user; IMO that's way overkill for a checkbox indicating agreement to receive promotional materials.
– Lie Ryan Dec 22 '11 at 15:44

A screenshot is easily fabricated, should you be so inclined. As is any kind of hashing, timestamping, etc, without a cryptographic basis. One presumes there is some stringent regulatory requirement for the college to be able to prove that they obtained positive consent before sending marketing material to people or trading their information to third parties.

The only reliable way to do this is by demanding a cryptographic signature from the user. For an example, see the way that the http://launchpad.net website asks you to cryptographically sign the Ubuntu Code of Conduct.

This only has force of law in jurisdictions where a cryptographic signature may be used on a legal document, but by signing a specific piece of text, the user may provide proof of their assent that is later verifiable. It would be virtually impossible for the college to forge a correct signature from the same public key.

Note that it is still trivial for the college to update their database, and thus flip the consent field, and also to replace the public key with another for which they know the private key, and generate a valid signature for that key.

Therefore without a third party signing keys to attest that they belong to a particular individual, all this achieves is that the user can verify whether or not the college forged their privacy settings - without the third party signature, it's their word against the college.

If you further require that all key ownership is verified and the key signed by one or more trusted third parties, then the college will be unable to forge apparently valid signatures without a great deal more exposure (they would have to deceive or co-opt the trusted third party in order to get their bogus keys signed). The difficulty of this attack would increase with the number of required third party signatures, but as another poster notes, is not impossible.

So to summarize :

The user must own or generate a private / public key pair

The user must then obtain a signature for their public key from one or more trusted third parties

The user must upload their public key, at least to the college and preferably to a third party key repository

The user must sign a known plaintext and provide the signature as proof that they assented to sharing their private data

Practical problems :

Few people understand cryptographic signatures

The cost of third-party certification can be high

This seems like an awful lot of work to safeguard a junkmail checkbox in a college prospectus download page

I'd start by reading up on Electronic Signatures for the client's country/state with the focus of finding out what methods and requirements are legally binding. I'm positive that no country or state in their right mind would require a screenshot as the only method of proof for a binding electronic signature.

For example, in the U.S. 47 states have accepted the Uniform Electronic Transactions Act, which applies to "governmental matters" among other things and thus would likely apply to the college requirements. It has the following parts that may help:

..

Electronic signature - means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

(a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form.

(b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.

(c) If a law requires a record to be in writing, an electronic record satisfies the law.

(d) If a law requires a signature, an electronic signature satisfies the law.

..

Once I knew the laws, I'd estimate the cost of the best electronic signature method vs. the cost of the screenshot method.

Last, I'd discuss with them my findings. First, I'd explain to them the best option vs. the proposed option. Next, I'd explain to them the amount of time this would add to the project. Last, if I was in a place to do so, I'd tell them that this "feature" would add x dollars to the final bill. I'd be very sure to use the additional cost to me as justification for the additional cost to them.

If they still wouldn't budge, I'd see if they have a supervisor with some sanity I could have the same meeting with.

*I am not a lawyer, so please seek legal advice if you are unsure about anything.

This being a legal question, a real answer will of course depend on national and possibly even local laws and exact circumstances. So obviously a real answer can only come from a lawyer.

However, as far as my (limited) legal knowledge goes, I see no reason to assume a screenshot would be considered evidence for anything, as it is obviously very easy to fake.

Your best course of action is probably to explain to your client that this is essentially a legal problem, and that the help of a lawyer is required. Then discuss with them whether they want you to discuss it with a lawyer, or whether they want to do it themselves.

To get a feasible solution, you might want to do the discussing yourself (if the client agrees). If you don't want that hassle (or fear they might not be willing to pay you for it), let them do it.

Should the OP go this route, I would suggest a middle-ground approach: explain to the client that they should discuss it with a lawyer, but that the OP would like to be involved in those discussions if at all possible. That way the expense is directly on the client and there is less risk that the client misconstrues something the lawyer says when passing that information on to the OP.
– Kevin D Dec 22 '11 at 11:57

If you want to validate that a document remains unaltered (database record, whatever), the "best practice" goes like this:

Serialize the data in a reproducible way, including any fields that might be contentious (e.g. email address, whether a box is checked.)

Take the hash of that record (e.g. sha1)

Use the public key for a trusted third party (i.e. a disinterested third party) to encrypt this hash

Post the data in a public way to establish the date at which it existed, e.g. a newsgroup.

To validate, the third party can decrypt the hash and compare it to the now-current hash value.

This has been used to guarantee that insurance records weren't tampered with; however, the "trusted third party" we paid a certain amount of money to promulgated the hashes as they were signed back to ourselves and several other clients, so there were several custodians of records who could potentially be subpoenaed to obtain proof.

This is clearly a ridiculous burden for something like validating a boolean field. But, if you show the client the expense involved, they'll probably stop being dumb.

While the request itself is absurd, and you cannot have a reasonably-done legal proof that a person A checked the checkbox when filling a form, there is a question inside your question which can be actually answered:

[How to ensure that the data was not altered later, while] a DB could be changed after the users has sent the form?

This, actually, may be easier to do technically.

1. Keep a proof that the data was not altered

Sending an e-mail to yourself (to a dedicated mailbox) with the values actually sent by the user is easy (well, it may be, depending on the configuration of your server, the threshold, the chances to be filtered as spam, the number of e-mails sent per second, etc.), and is enough to show that the data was not altered after it was submitted. For example, unless I have unrestricted access to Google's servers, I'm pretty sure everyone will be convinced that I am unable to alter the contents of the e-mails I sent to my own GMail address.

2. Keep a proof that the data is correct

Chances are, the customer will not be satisfied, because even if you have a proof that the data was not altered afterward, how can we be sure the data was not modified between the submission of the form and the sending of information by e-mail (and commit to the database)? In this case, the next step is to:

Remove the checkbox,

Mark anyone who filled in the form as unwilling to receive spam promotional material from your customer's company,

Indicate to the visitors that they have to send an e-mail (with a predefined title and an empty body) to the dedicated mailbox in order to receive the spam commercial offers.

Their e-mails can be then processed automatically, and kept as a proof.

3. Keep a proof that the data is authentic

Now that you have a proof that the person using the given e-mail address actually wants to receive the spam, the customer may still be unsatisfied (which usually happens with customers having such crazy requests). What if someone hacked someone else's mailbox just to register the hackee to receive your spam?

At this level of craziness, you can still respond technically to the requirements. Now, instead of sending an opt-in e-mail, the user of the website has to:

Send a mail with a copy of ID/passport, and a letter, with a signature, saying that this person really wants to receive the spam.

Validate the e-mail address through a secret code which will be sent back.

But before doing this, convince the customer to implement what I described in part 2 and test it. The customer will see that after a month or two, nobody ever sends any opt-in e-mail, and will happily forget about legal proofs and altered data in the database.

The legal status of whatever you do is independent of the technical merit of the solution.

For example:

For years British members of parliament would ignore e-petitions because the law demanded that petitions carried a signature for each person. Then someone noticed that a hash of an email address, date, time and comment -- even though it contained no secret key -- constituted a "digital signature" in the eyes of UK law.

Therefore, get a lawyer to tell you what to do, and do it. Don't worry whether it's sound.

Or, do what your client asks, trusting that they have checked with a lawyer. Make sure there's a record of the discussion.

How the bleep are you supposed to get a screenshot? What you've got is the HTML and whatever you're sending to the client, and the electronic response from the client. Neither involves a screenshot.

The screenshot is of what the browser renders, and will differ somewhat depending on browser in use and settings and equipment on the other end. Personally, I browse using Firefox, Chrome, Opera, Mobile Safari, occasionally Lynx, and even a little IE sometimes.

You could render the page in a standard browser on your end, and screenshot that, but making your own document and recording it isn't going to impress a judge. You could ask the user to send a screenshot, but good luck enforcing that. Not all browsing devices have an obvious way to take and send a screenshot (how do you do it on an iPhone?). If you're dealing with a vision-impaired customer using a screen reader, there may be no visual representation at all at the client end. (I saw a couple of blind friends of mine use a portable computer, which had no display whatsoever.)

So explain to the customer that there is no way of getting a screenshot, and there may not even be a screen to take a picture of.

It is actually possible to create a Mandatory Access Control in conjunction with a Trusted Timestamp Plus a Digital Signature for the database to ensure that the value of the column can be trusted. Screenshots are not the correct answer, there ARE however Trusted Computing solutions that achieve exactly what you wish to achieve. If you want more details you can start a chat with me.

A scheme that is closest to being tamper-proof would be to generate a public/private key pair when the user fills in the form using (client-side) Javascript, then send the form content, the public key, and the signature to the server, and present the private key to the user and ask them to take note and store it somewhere safe.

With this scheme, you would be able to prove that it is impossible to tamper with the form data since you did not know the private key that is used to generate the signature. The weakness of this scheme is that you have to be able to prove that you never touched the private key, and that the user must not lose their private key.

Since you must be able to prove that you never had access to the private key, it may be necessary to include the HTML and all Javascript when generating the form signature; this proves the exact form that the user used to submit the data (therefore proving that you had not modified the form/javascript since their submission, therefore proving that you did not use javascript to steal their private key).

This scheme is complex, and as with any complex system, I cannot guarantee that there isn't a hole (actually, I'm fairly confident that there is, and someone would probably be able to point it out).

A screenshot wouldn't be much proof, as there is no way of verifying that a screenshot is real. That could so easily be faked. As far as more technical solutions go, there is the archive storage engine for MySQL that only supports insert and select. You can't delete from the table at all. Mind you, it might be possible to ALTER TABLE to a different storage engine, delete the record, and then ALTER TABLE to change the engine back without anyone noticing, but hopefully you could limit that to root, and only allow root to log in locally. Then you could just track logins to the actual local database machine to figure out who possibly changed it. You could also analyze the binary logs, or enable the raw query log to see who could have issued queries which resulted in this kind of activity. I'm not sure which database technology you are using, but most likely you should be able to come up with a solution which prevents the data from easily being changed.

I'm going to recommend you sit down and read the ESIGN Act. This statute covers what is and isn't necessary to record an electronic signature in order for it to be legally binding. At a previous employer, we found that the most difficult statutory hurdle was to be able to make the signatures and documents readable for 10-15 years into the future.

The details of each filled-out form have to be saved in a reliable way. Apparently, saving the form values in a database - a column indicating whether the user agreed or didn't agree - isn't enough, because a DB could be changed after the user has sent the form. Our client claims that other college portals create a screenshot of the filled-out form and save it somewhere in a dedicated folder, in a manner that is easily found, such as giving the file a name that includes the user's name and the date and time.

As others have pointed out, the screenshot is something that cannot be done. It can be faked, as all "magic" shows are pure fakery: you see someone getting sawed in half, but they are not actually getting sawed in half.

I've dealt with my share of crazy before. I can think of some technical solutions but why not go back to the client and suggest rewording the question to 'Do you not want to receive marketing emails?' (or similar wording) and allow the person to opt out? Then you don't need a screen shot.